Is your security ecosystem robust?

Here's how to answer that question

By Shamlan Siddiqi

Mar 01, 2018

NOTE: This is part 2 of a two-part series about the principles of data security. Click here for part 1.

It is well known that system administrators have full access to all aspects of an agency's or organization's IT systems. This access creates a central threat vector and a relatively easy target for hackers: essentially the "keys to the castle."

By hacking, stealing, or social engineering administrator credentials, hackers obtain unrestricted access to critical data. This data can be manipulated in many ways and is often used for nefarious purposes and/or sold on the dark web. Sophisticated rules and algorithms can be developed to facilitate seamless back doors to an agency's or organization's critical data.

Footprints are easily erased, covering any evidence of tampering with log files. Historically, system administrators find out after the fact that an unauthorized user has triggered a job or accessed a system. In most cases, unfortunately, the damage is already done and the attack is being publicized on social media and other news sources.

Today’s cybersecurity programs in many cases have proven to be reactive and planned as an afterthought. Programs are not granular enough to prevent attacks and create meaningful intelligence on the data across its lifecycle. Like protecting a medieval castle, every point of entry must be considered and defended.

To consistently and effectively secure network and applications data, the following items need to be considered for a robust data security platform:

Pervasive. All data must be protectable, always, including streaming data and field elements within databases.

Persistent. All data must be secured, always, allowing no margin for error or malicious behavior. An agency or organization’s IT system(s) must fail ‘closed’ with the ideal data security platform implemented.

Domain Independent. Data security must travel with the data independent of the domain. The data owner/author must be able to track use of the data and revoke data access.

Transparent to the User. User operation must require little to no additional knowledge to use the features and functions of a platform to secure data. It should be intuitive and simple, without programming or intensive set-up, although in some cases requirements may dictate the complexity.

Governed. Must accept and maintain corporate and data governance rules at the data level.

Automatic. Security can’t be thwarted, either maliciously or accidentally.

Recoverable. The data owner (author) must be able to revoke data access even when data moves to other domains.

Auditable and Analyzable. Audits are fully trackable across foreign domains and behavioral analytics provide data analysis regardless of where the data travels or exists.

Scalable. Must provide automated threat prevention, active response, AI and quantum proofing functionality to deal with issues and threats as they occur regardless of the size and scope of a threat.

IoT (Internet of Things) Ready. Must provide a secure fabric that works across all data, across all smart devices (Galinski, 2017).

The key technical components of a robust data security solution should include the following:

Data Management Operating System. A DMOS that runs virtually on top of other operating systems and platforms.

Sophisticated Key Structure

An asymmetric (public/private) key system. An agency's or organization's keys are all generated on its own network, which leads to a "zero-knowledge system," meaning that there is no way for the solution provider to see the client's data. That includes extending zero-knowledge to the cloud hosts that they may use. Agencies and organizations should be protected not only from hackers on those other systems but also from rogue employees of those cloud hosts.

Hierarchical Keys

Fractional Keys

Multiple Endpoint Connectivity. Design the solution to connect with multiple endpoints – whether computer, mobile, database or IoT. Computer and mobile clients are standardized and easily deployed. Database connectors require implementation that varies and is dependent upon the database platform and architecture.

Quantum Proofing of data should be considered in anticipation of the increased use of quantum computers for hacking purposes.

External plugins. In situations with external "actors" or subscribers of data, the data security solution should provide plug-ins for those external subscribers that control security and data access while simultaneously providing an additional toolset to manage and secure data via user subscriptions. As an example, PDF or other reports can be timed to expire based on subscription date, can be limited to only the registered user, and cannot be opened by, or shared with, non-paying subscribers (in scenarios where this may be applicable).

Inbound/Outbound Data. An effective data security solution must secure both inbound and outbound data from inception to destruction. Policies and rule sets provide a flexible method for creating a rule-base that provides the convenience of “set-it and forget-it” automation.
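The fail-closed behaviour called for under "Persistent", combined with owner revocation and the subscription-bound expiry from the plug-in example, can be sketched as a single access decision. This is an added example, not code from the article or from any product; the `Grant` record, its fields and the `decide` function are hypothetical names, and the sample grants are constructed.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone

@dataclass(frozen=True)
class Grant:
    """Hypothetical access record that travels with a protected document."""
    doc_id: str
    registered_user: str   # the only subscriber allowed to open it
    expires_at: str        # subscription end, ISO 8601 with UTC offset
    revoked: bool          # set by the data owner to withdraw access

def decide(grant, user, now):
    """Return (allowed, reason); every path except full success denies."""
    try:
        if grant is None:
            return False, "no-grant"
        if grant.revoked is not False:      # anything but an explicit False denies
            return False, "revoked"
        if not user or user != grant.registered_user:
            return False, "wrong-user"
        expiry = datetime.fromisoformat(grant.expires_at)
        if expiry.tzinfo is None or now.tzinfo is None:
            return False, "ambiguous-time"  # refuse to guess a time zone
        if now >= expiry:
            return False, "expired"
        return True, "ok"
    except Exception:
        # Malformed or tampered record: fail closed instead of failing open.
        return False, "error"

def demo():
    """Run the policy over constructed sample grants and return the decisions."""
    now = datetime(2018, 3, 1, tzinfo=timezone.utc)
    good = Grant("report-17", "alice", "2018-12-31T23:59:59+00:00", False)
    cases = {
        "owner": (good, "alice"),
        "shared copy": (good, "bob"),
        "revoked": (replace(good, revoked=True), "alice"),
        "lapsed": (replace(good, expires_at="2018-01-31T00:00:00+00:00"), "alice"),
        "corrupt": (replace(good, expires_at="never"), "alice"),
        "missing": (None, "alice"),
    }
    return {name: decide(g, u, now) for name, (g, u) in cases.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

Only the first case is allowed; the corrupt and missing records are denied rather than treated as "no restriction", which is the difference between failing closed and failing open.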

Once you have identified a solution that covers the robust requirements, it is important to consider integration points for your data security solution with your existing security ecosystem: SIEM tools, identity and access management tools (moving towards federated identity management and attribute-based access control), threat intelligence platforms, etc.

Given the increased threat vectors across all industries, it has become imperative for agencies to think outside the box when it comes to cyber security. A "security first" posture is table stakes and should not be taken lightly. The level of sophistication of hackers is growing, as is the technology available to enable hacks. It is incumbent upon agencies and organizations to be proactive and invest in protecting the keys to the castle and the most important treasure: data!

About the Author

Shamlan Siddiqi is the chief technology officer for NTT Data's public sector business.